Now More Than Ever, it's Crucial for Companies to Get Cybersecurity Right

Many consequences of cyber breaches have been well-documented, including financial and reputational damage. Recent developments, however, show that another serious consequence stands to become top of mind for business leaders: legal action against both the management and members of the boards of directors of organizations that suffer cyber breaches.

According to cybersecurity expert Joseph Steinberg, the SEC's recent charges against the chief information security officer (CISO) of SolarWinds, combined with its new cybersecurity disclosure rules, should leave no doubt in anyone's mind that the government is demanding companies to "get their cybersecurity houses in order."

"In a worst-case scenario, a cyber breach could lead to criminal charges against people," Steinberg says. "We are talking about not only financial penalties, but, under some circumstances, potential prison time."

Shifting the Onus of Responsibility to Company Leaders

The SEC's filing against the SolarWinds CISO is not the first instance in the United States of criminal charges being leveled against a cybersecurity professional. Steinberg points to the case of former Uber chief security officer (CSO) Joseph Sullivan, who, until his sentencing, faced potential prison time for his role in the attempted covering up of a 2016 data breach that exposed personal information for more than 50 million customers of the ride-hailing platform. According to an article in SC Media, the former Uber CSO was ultimately punished with a probation sentence, a fine and a requirement to perform community service "tied to a cover-up of Uber's 2016 breach."

However, the SEC's new disclosure rules and its charges against the SolarWinds CISO have potentially changed the equation for companies when it comes to cyber breaches, Steinberg explains. The federal government is taking cyber breaches seriously, and company leaders should heed the recent news as a warning.

"Essentially, the onus has shifted as to who is responsible," Steinberg says. "Instead of viewing cyber incidents as something that happened to a company, as something that doesn't necessarily need to be explicitly explained in filings or revealed to the public, the new rules basically say that if an incident occurs, the company's management and board are responsible to ensure that they adequately explain to the world what happened."

Steinberg stresses that being upfront with investors about material cyber risks is paramount. In short, investors need to know what a company is doing to address cyber threats, how it has historically handled any cyber incidents, what damages have occurred due to any past cyber incidents and what damages are at risk of happening due to potential future cyber incidents.

"Someone's decision to invest in a company can be dramatically impacted by information about cyber risks," Steinberg says, adding that by not being upfront about cyber risks and incidents, companies could be misleading the public — which can reasonably be considered akin to "falsifying a financial statement."

The Importance of Companies Getting The Right Cyber Expertise

Per analysis by Thomson Reuters, it's "not explicitly mandated" in the SEC's new rules, but "firms are expected to provide details on board proficiency in cybersecurity." The directive from the SEC makes it clear that public corporations have "to describe the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats."

To comply with the SEC's new rules around cybersecurity, companies need board members with the right type of cybersecurity experience and skills, Steinberg says.

"Companies need people on their boards who can oversee the management of cyber risk, not people who are technically savvy but do not understand how to ensure that the business is properly managing cyber risk," he says. "The board must oversee the management of cyber risk rather than seeking to perform or actively manage the job of the CISO."

Unfortunately, many companies do not have board members with adequate, appropriate cyber expertise. Findings from 2023 research conducted by WSJ Pro revealed that the "number of directors at S&P 500 companies who have cybersecurity experience has increased sharply since" 2022; however, the "amount of cybersecurity expertise on boards remains relatively low, at a time when boards are under increased scrutiny for security failings." Specifically, the research found that as of August 31, 2023, "107 directors at 113 companies had professional experience in cybersecurity."

But Steinberg cautions against boards rushing the process of signing on people with cybersecurity expertise.

"One of the problems that many boards face is that they bring on people who aren't necessarily skilled at overseeing cybersecurity," Steinberg says. "Just because someone is an excellent baseball player does not mean that he will make an excellent team manager, and just because someone is an excellent manager does not mean that he will make an excellent team CEO. The same is true when it comes to managing and overseeing cyber risk. Boards need the right combination of experience, skills and talent to properly handle cyber risk, as opposed to merely thinking they are handling it well."

Striking the Right Balance Between Managing and Overseeing Cybersecurity

To that end, Steinberg emphasizes that it is vital for companies to empower the right people to play the right roles when it comes to cybersecurity. Specifically, CISOs, CSOs and other cyber experts should manage cybersecurity and should ensure that the necessary parties perform what is needed in order to handle day-to-day tasks and to develop and implement broader strategies. Board members should oversee the party managing cybersecurity to make sure that the cybersecurity program provides the company with adequate protection (as agreed upon by the board) against cyber risk.

"One of the issues that I see develop on a regular basis is board members getting overly involved in what they think is the oversight of cyber risk—but is actually the management or performance of it," Steinberg says. "In turn, they end up wasting time and energy discussing matters that should be left to the CISO."

He notes that when board members attempt to take cybersecurity fully under their control, it takes away their focus from other elements of the business—and can make a company more exposed than if the management of cyber risk was properly overseen by the right experts.

"Board members who do not understand their appropriate role in dealing with cybersecurity and cyber risk can end up interfering with the CISO or CSO's ability to do their job," Steinberg says. "Additionally, the failure of board members to understand where they fall into a company's cybersecurity and cyber risk management efforts can cause the board as a whole to become distracted—and in turn, fail to address pressing matters across the business."

Ultimately, he says, those organizations that do not yet have cybersecurity expertise present on their boards should take action now.

"In the same way that you wouldn't have a board that lacks accounting and legal expertise, you shouldn't have a board without cybersecurity expertise," Steinberg says. "For many companies, a cyber incident is more likely to pose serious danger than accounting or legal issues."

Ideally, he says, companies should appoint people who are "familiar with the management of information security and cybersecurity."

"To not have that level of expertise is like presenting financial documents to board members with little to no accounting knowledge," Steinberg says.